OneLogin SAML SSO Integration Set up
Last updated: 04 November 2020
To add Trend Micro Cloud One™ – Conformity as a custom SAML 2.0 app in OneLogin:
1. Sign in to OneLogin as an Admin.
2. Go to Applications > Applications.
3. Click the Add App button from the top-right corner.
4. From Find Applications, search and select SAML Test Connector (Advanced).
5. Update Display Name to Cloud Conformity, upload the attached icons, and Save.
6. In Configuration tab, enter the following:
- Relay State: REGION_OF_SERVICE:YOUR_DOMAIN for example: us-west-2:example.com
- Audience: https://www.cloudconformity.com
- Recipient: https://www.cloudconformity.com
- ACS (Consumer) URL Validator: https://www\.cloudconformity\.com/v1/proxy/sso/saml/consume
- ACS (Consumer) URL: https://www.cloudconformity.com/v1/proxy/sso/saml/consume
- Login URL: https://www.cloudconformity.com/identity/saml-sign-in.html
- Single Logout URL: https://www.cloudconformity.com/v1/proxy/sso/saml/logout
- SAML Initiator: OneLogin
- Encrypt assertion: Yes
- SAML encryption method: AES-256-CBC
-
SAML encryption public key: Once you select the Encrypt assertion as ‘yes’ you will be able to see this field. Paste the contents of cloud-conformity-sso-x509.pem
7. In the Parameters tab, add:
- firstName (First Name)
- lastName (Last Name)
- role
- User Roles: select User Roles
- Semicolon Delimited multi-value: to select a semi-colon delimited value:
- Select the flag from SAML assertion
- Select Multi-value
- From the drop-down list, select Semicolon Delimited Input
Make sure that you have selected the flags for SAML assertion and these parameters are all added before you save and move to the next step.
Note: You do not need to map the email.
8. Ensure that OneLogin is configured to send role claim to Conformity:
- Create new roles for Conformity Admin, Power-user, Read-only, and Custom roles
- In the Access tab, select the roles you created for Conformity:
- Verify that the “role” parameter created in step 6 is linked to “User Roles” and configured as a semicolon-delimited input and multi-value output.
Note: We recommend creating a User Role for at least Admin users so we can automatically assign users to their correct role on Conformity side.
Supported roles are:
- Admin: This is the super-user or organization administrator, and can perform any operation.
- Power-user: Full access to all existing accounts
- Read-only: Read-only access to all existing accounts
- Custom: No access by default, can be granted account-level permissions on Cloud Conformity user management console.
If you set up User Roles, we would need to know role names to complete the mapping; otherwise, all users will default to Admin.
9. In the SSO tab, set the SAML Signature Algorithm to SHA-512.
10. Click the Save button from the top right of the page to save the app configuration.
11. From the More Actions drop-down, download the SAML metadata XML file. You will need it in the next steps.
12. Follow the instructions from Step 2 onwards to Configure SSO settings in Conformity.